All critical infrastructure asset (CI asset) owners, operators, and direct interest holders must meet their legal obligations under the Security of Critical Infrastructure Act 2018 (the SOCI Act). The obligations that apply to your business will depend on the kind of CI asset that you own, operate, or have a direct interest in.
These obligations seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of CI assets. They will also improve information exchange between industry and government to build a more comprehensive understanding of the national threat environment.
The obligations that you must meet will depend on whether you are a responsible entity or a direct interest holder for a CI asset, and the type of CI asset.
Responsible entities must provide operational information in relation to the asset. The responsible entity for each asset class will vary. The definition for the responsible entity for each asset class can be found in section 12L of the SOCI Act.
A direct interest holder is an entity (e.g. individual, company or trust) that holds either:
- a direct or joint interest of at least 10% in the asset, together with any associates
- an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
For more information about what a critical infrastructure asset is, go to our page on the Security of Critical Infrastructure Act 2018 (SOCI).
If you are not sure whether these obligations apply to your critical infrastructure asset, read our Critical Infrastructure Asset Class Definition Guidance (1014KB PDF).
Obligation to notify data service providers
Entities must notify external data service providers if those providers are storing or processing business critical data for a CI asset. This ensures that companies that handle sensitive data are aware that they may also have obligations under the SOCI Act. It will also ensure that they treat the security of the data appropriately.
This obligation applies to all CI assets.
For more information on how this obligation might apply to you, read the Obligation to notify data storage or processing providers Factsheet (156KB PDF).
Positive security obligations
There are three positive security obligations which apply to most CI assets.